The value of data assets in a US M&A deal: three key questions to ask

March 2014 | PROFESSIONAL INSIGHT | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

March 2014 Issue

Data is a valuable asset in the information economy. Companies have only recently begun to unlock that value to capitalise on some of the biggest opportunities in the marketplace today, including cloud computing, big data and analytics, social networking, globalisation and ecommerce. However, the big value of data carries equally big risks: regulators are aggressive; hackers are becoming more sophisticated; and data breach costs can be staggering.

Companies are increasingly focused on data in their corporate acquisitions, particularly in the United States. Sellers often tout the value of untapped data in their possession and interested buyers may develop a business plan for that data post-closing. Numerous data issues arise in an acquisition, but three questions can strike at the core of the deal: What laws may restrict the transfer or anticipated use of the data post-closing? What contractual restrictions may be imposed by the sources of the data? Has the seller incurred material liabilities associated with the data?

Answers to these questions affect deal valuation, the scope of due diligence, the transaction documents and post-closing planning.

US data privacy and security regulation

Unlike many other nations, the United States does not have a single data protection law. Instead, US federal and state governments have adopted numerous laws, each of which typically applies to different types of personal information. The restrictions imposed by those laws vary widely and, in the end, a single US data set may be subject to heavy regulation, no regulation or something in between. Health information, for example, is generally subject to stringent and detailed US federal and state regulations, while other consumer information may be subject to less onerous consumer protection laws, which generally require use and disclosure of personal data in accordance with promises made at the time of collection. These laws may even create complications for the legal transfer of data from seller to buyer at closing.

In light of these different regulations, sophisticated buyers carefully develop plans for lawful data use post-closing. During due diligence, buyers identify the sources and content of a seller’s data and confer with counsel to determine legal restrictions on the transfer and future use of that data. By taking these measures before signing, a buyer can avoid the disappointment of being unable to lawfully use the data as planned, and any resultant devaluation of the seller’s assets.

Contractual data rights and obligations

As the potential risks and rewards of data assets become clear, data providers increasingly impose obligations on the recipients of the data. A business-to-business vendor, for example, may obtain volumes of valuable data from its corporate clients. Those vendors, however, are increasingly required to comply with contracts that impose stringent restrictions on the use and disclosure of that data. Those restrictions often provide that the vendor may only use and disclose the client’s data to perform the contracted services and may not use or disclose the data for any other purpose. Even after the client agreement expires or terminates, the vendor is often required to return or destroy the client’s data. These types of contractual limitations may severely limit the value of a seller’s data and negatively impact any buyer plans to use the data post-closing.

In addition to these limitations, data providers are imposing significant data-related obligations on their vendors. Those obligations vary, but may include requirements to engage independent third parties to perform periodic IT and security assessments or audits, physically segregate a client’s data from other clients’ data, implement specific encryption technology and access controls, adopt background checks and comply with the client’s security policies. Ongoing compliance with these obligations may require significant security technology investments and compliance costs, which may become even more pronounced and costly in the event they apply to a buyer’s larger IT infrastructure post-closing.

Data liabilities

Failure to comply with US data-related laws can result in significantly liability. Regulators are increasing civil penalties and, in some cases, making non-compliance criminal. For instance, recent amendments to the Health Insurance Portability and Accountability Act (HIPAA) allow US regulators to impose penalties of up to $1.5m annually per type of violation and other US regulators have imposed penalties in excess of $20m for data practices deemed unfair or deceptive under US consumer protection laws. Meanwhile, the White House, Congress and consumer advocates have been pushing for additional regulation and stepped-up enforcement.

Although significant, government fines and penalties may be small in comparison to the cost of a data breach. A 2013 Ponemon Institute study found that the average data breach (involving less than 10,000 records) in the United States cost the affected company approximately $5.4m (or $188 per compromised record). Large data breaches can cost much more and result in significant reputational harm. In addition, data breaches are now typically followed by class action lawsuits and shareholder derivative litigation, which further increase potential liabilities.

Effect on the transaction

In light of these risks, many buyers are expanding their due diligence review of a seller’s data practices by, among other things, reviewing the seller’s data compliance programs, data-related contracts and security processes and engaging lawyers and IT assessment firms to review the seller’s systems and practices. Meanwhile, buyers are negotiating specific data-related representations, warranties, closing conditions and indemnities in the transaction documents and developing post-closing remediation plans to address any identified weaknesses.

In an acquisition, smart buyers treat data in the same way as they do a seller’s other significant corporate assets: they determine the data’s value, how the data can be lawfully used and what risks the data carries before signing.

Scott Loughlin is an associate at Hogan Lovells. He can be contacted on +1 (202) 637 5565 or by email: scott.loughlin@hoganlovells.com.